This morning's signal is ugly but clear. Identity attacks are still the cheapest way in, hardware-level escalation is becoming more practical, ransomware crews keep refining defense evasion, and old operators are finally getting named. Defenders should spend today on MFA hardening, driver control, and fast containment, not vanity dashboards.
The top story is an Iran-linked password-spraying campaign that hit more than 300 Microsoft 365 organizations in Israel, with spillover targets in Europe, the U.S., the U.K., Saudi Arabia, and the UAE. That matters because password spraying remains embarrassingly effective against cloud estates that still tolerate weak passwords, soft conditional access, or patchy MFA enforcement.
At the same time, researchers detailed GPUBreach, a GPU rowhammer technique that can corrupt GDDR6 memory, tamper with GPU page tables, and potentially pivot into full system compromise through NVIDIA driver bugs. That is not just a lab curiosity. It is a warning shot for teams betting heavily on shared accelerator infrastructure for AI workloads.
Check Point linked three March attack waves to an Iran-nexus operator using password spraying from Tor and commercial VPN infrastructure. The campaign reportedly focused on government, municipal, technology, transportation, energy, and private-sector organizations, with mailbox data theft as a likely objective.
The lesson is boring and brutal. Password spraying keeps working because too many tenants still allow legacy protocols, weak geofencing, stale service accounts, and inconsistent MFA. If your identity layer is loose, an attacker does not need an exploit, just patience.
Researchers from the University of Toronto showed that bit flips in GDDR6 can corrupt GPU page tables and hand arbitrary GPU memory read and write access to an unprivileged CUDA kernel. From there, newly discovered driver bugs can enable a jump toward broader host compromise, even with IOMMU enabled.
That should worry any team running shared GPU fleets for AI training, inference, or multi-tenant research. Consumer GPUs without ECC look particularly exposed. Hardware isolation stories around AI stacks are not mature enough to trust blindly.
German federal police identified two Russian nationals as leaders behind GandCrab and REvil and tied them to at least 130 extortion cases in Germany. Naming actors years later will not undo the damage, but it does raise the cost of openly recycling old infrastructure, old brands, and old affiliate trust networks.
The strategic value is pressure, not closure. Ransomware ecosystems survive on the belief that operators can disappear into myth. Public attribution chips away at that shield, even when arrests lag far behind.
Cisco Talos and Trend Micro described Qilin and Warlock tradecraft that uses bring-your-own-vulnerable-driver techniques, in-memory payloads, ETW suppression, and process termination against more than 300 EDR drivers. In plain English, the crews are spending their time on silencing your sensors before detonating their payloads.
That is the real operational lesson this morning. Mature ransomware intrusions are no longer smash-and-grab events. They are quiet preparation campaigns. If you only measure ransomware readiness at encryption time, you are measuring the failure state.
First, review sign-in telemetry for low-and-slow password spraying, impossible travel, and repeated failures across many accounts using a small password set. Second, tighten conditional access and kill legacy authentication if it still exists. Third, validate driver block rules and EDR tamper protections on endpoints that matter most.
Finally, if you operate GPU-backed AI infrastructure, treat accelerator hosts like crown-jewel systems. Separate tenants, prefer ECC-capable hardware where possible, harden driver update hygiene, and stop pretending the AI layer is magically isolated from the rest of the estate.
Turn today's headlines into action.
KENSAI helps security teams turn threat reporting into concrete validation, faster triage, and proof that controls still work under pressure.
Start Your Free Scan →